After a flurry of complaints, O2 engineers appear to have shut off the proxy server quirk that leaked to websites the phone numbers of punters browsing the net on 3G connections.
The disclosure that affected all users of O2's 3G network on iPhone and Android in the UK was highlighted earlier today. O2 has yet to issue an …

How long had this been going on?

First highlighted in something like 2009, when a number of networks were fingered for doing much the same. Goodness knows how long before that, but we can safely assume it didn't start right then.

Headers

I've read somewhere else today that every network has the number attached as one of the headers whilst it's floating inside their own network, for billing, diagnostics etc. but is stripped out before being sent outside.

So my guess is somebody ran a test and forgot to put the filter back on.
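The mechanism this comment describes (a subscriber identifier carried as a request header inside the operator's network and meant to be stripped at the boundary) is the sort of thing an egress filter should enforce, and the "forgot to put the filter back on" failure is exactly what a fail-safe default protects against. The following is an added example, not code from the article, the comments or O2; the header names (`X-MSISDN`, `X-Internal-*`), the UK-number pattern and the sample request are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical internal header names (constructed placeholders, not any operator's real ones).
INTERNAL_HEADERS = {"x-msisdn", "x-subscriber-id"}
INTERNAL_HEADER_PREFIXES = ("x-internal-",)

# Constructed pattern: UK mobile number in national (07...) or international (+447...) form.
MSISDN_RE = re.compile(r"^(?:\+?44|0)7\d{9}$")


def is_internal_header(name: str) -> bool:
    """True if the header is one the operator attaches for its own billing/diagnostics."""
    lower = name.lower()
    return lower in INTERNAL_HEADERS or lower.startswith(INTERNAL_HEADER_PREFIXES)


def strip_internal_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Egress filter by name: drop every operator-internal header."""
    return {k: v for k, v in headers.items() if not is_internal_header(k)}


def find_msisdn_leaks(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Detection pass by value: flag any header whose value looks like a
    subscriber number, whatever the header is called, so that a renamed or
    unexpected header is still caught."""
    return [(k, v) for k, v in headers.items() if MSISDN_RE.match(v.strip())]


def egress(headers: Dict[str, str], strip_enabled: bool = True) -> Dict[str, str]:
    """Prepare a request for the public internet.

    strip_enabled defaults to True so that a reset or freshly deployed
    configuration fails safe. A diagnostic run has to opt out explicitly,
    and even then the value-based check refuses to forward a number."""
    out = strip_internal_headers(headers) if strip_enabled else dict(headers)
    leaks = find_msisdn_leaks(out)
    if leaks:
        raise ValueError(f"refusing to forward subscriber identifiers: {leaks}")
    return out


# Constructed sample request as it might look inside the operator network.
SAMPLE_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (iPhone)",
    "X-MSISDN": "+447700900123",        # constructed number in Ofcom's reserved drama range
    "X-Internal-Cell-Id": "234-10-1234",
    "Accept": "text/html",
}

if __name__ == "__main__":
    print(egress(SAMPLE_REQUEST))
    try:
        egress(SAMPLE_REQUEST, strip_enabled=False)
    except ValueError as exc:
        print("blocked:", exc)
```

The two checks are deliberately independent: the name-based strip is the normal path, and the value-based check is the backstop that fires when someone has renamed a header, added a new one, or disabled the filter for a test and not re-enabled it, which is the failure mode the comment guesses at.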

Giff Gaff

Another change

As of today, there's a daily limit to how much data you can use on PAYG. It used to be that even if you went over the bolt-on limits etc, you could use as much as you liked for £1 a day. Now I've just got a message saying I've used today's maximum (don't know what that is).

I suspect they had to change some kit to enable this, and misconfigured it/left the default configuration in place.

Re: The "Unlimited" Limit

If I vaguely remember correctly, that was changed from either 100MB or 200MB (according to their verbal T&Cs on the "Bolt Ons info" IVR section) to something ridiculously low (either 10MB or 50MB), a few months ago - presumably as a result of people abusing it for streaming media.

(I'll admit that I used to use Mobbler quite heavily over UMTS, whilst commuting to university, after I figured out how to tune its bitrate settings, so that tracks didn't play at twice their proper speed).

Controlled trial

I have two devices connected through O2. One is my regular 'phone, and its number is public, easy to find, and known by many. The other is my pocket-puter, whose number I make no attempt to remember, and never give to anyone, but which gets used for almost all my web access on the move (with the exception of railtrack, whose website works much better on the smaller phone).

Observation: the phone whose number is public gets all the spam.

Inference: spammers aren't abusing the information formerly sent to them by O2. I expect they hadn't discovered it.

However...

A few giffgaff (O2 MVNO) newbies report increased levels of SMS spam (accident compensation scams and the like) since porting in. Coincidence, insider selling details, or this flaw? Who knows...

IMO the whole thing is rather overstated, with the risk being theoretical more than practical, but not 100% reassuringly so. I'd imagine ad servers have been above-averagely aggressive in harvesting the information.